A Server-side Template Injection (SSTI) vulnerability has been discovered in Shopware 6, an open-source e-commerce platform. This vulnerability affects Shopware 6 versions v6.4.20. and earlier, as well as release candidates v6.5..-rc1 to v6.5..-rc4. Both shopware/core and shopware/platform GitHub repositories are impacted by this vulnerability. Remote attackers with access to a Twig environment without the Sandbox extension can exploit this issue to execute arbitrary PHP code/commands by bypassing the validation checks in Shopware\Core\Framework\Adapter\Twig\SecurityExtension. This is a bypass of the previously reported CVE-2023-22731. Users are advised to upgrade to version v6.4.20.1 to resolve this issue.

Vulnerability Details

When remote attackers have access to a Twig environment without the Sandbox extension, they can bypass the validation checks in Shopware\Core\Framework\Adapter\Twig\SecurityExtension to call any arbitrary PHP function and thus execute arbitrary code/commands. The vulnerability can be exploited by using fully-qualified names, supplied as an array of strings, when referencing callables.

Here is a code snippet demonstrating a vulnerable implementation:

namespace Shopware\Core\Framework\Adapter\Twig;

class SecurityExtension extends \Twig\Extension\AbstractExtension {
    // vulnerable code omitted for brevity
    public function callFunctionSafely(array $allowedFunctions, string $functionName, array $arguments) {
        // The supplied name is compared verbatim against the allowlist, with a
        // non-strict in_array() comparison and no canonicalization of the reference.
        if (in_array($functionName, $allowedFunctions)) {
            return call_user_func_array($functionName, $arguments);
        }

        // IllegalAccessException is referenced as in the original snippet; it is not imported here.
        throw new IllegalAccessException(sprintf('The function "%s" is not allowed.', $functionName));
    }
}

In this example, the callFunctionSafely method checks if the supplied $functionName is present in the $allowedFunctions array. If found, it executes the function with the associated arguments. However, this check can be bypassed by supplying string arrays with fully-qualified names.
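As an added illustration (not Shopware's code), the same allowlist check written so that alternative spellings of a function reference cannot slip past it: the reference is canonicalized before comparison, only plain function names are accepted, array callables are refused outright, and the final lookup is exact. The class name, allowlist and sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added illustration, not Shopware's code: an allowlist check for callables
// handed in from a template. Class name, allowlist and sample inputs are constructed.
final class CallableAllowlist
{
    /** @var array<string, true> normalized (lower-case, no leading backslash) names */
    private array $allowed = [];
    /** @param list<string> $allowedFunctions plain PHP function names */
    public function __construct(array $allowedFunctions)
    {
        foreach ($allowedFunctions as $name) {
            $this->allowed[self::normalize($name)] = true;
        }
    }

    // PHP resolves a leading backslash and compares function names case-insensitively,
    // so "\strtoupper" and "STRTOUPPER" reach the same function; canonicalize before comparing.
    private static function normalize(string $name): string
    {
        return strtolower(ltrim($name, '\\'));
    }

    // Accept only a plain string naming an allowed function. Array callables
    // ([class, method]), "Class::method" strings, namespaced names and closures are
    // rejected outright instead of being compared loosely, and the final lookup is exact.
    public function call(mixed $callable, array $arguments): mixed
    {
        if (!is_string($callable)) {
            throw new \InvalidArgumentException('Only plain function names are allowed.');
        }
        $normalized = self::normalize($callable);
        if (preg_match('/^[a-z_][a-z0-9_]*$/', $normalized) !== 1 || !isset($this->allowed[$normalized])) {
            throw new \InvalidArgumentException(sprintf('The function "%s" is not allowed.', $callable));
        }
        return $normalized(...$arguments);
    }
}

// Constructed usage: the first call succeeds, the other three are refused.
$allowlist = new CallableAllowlist(['strtoupper', 'trim']);
var_dump($allowlist->call('\\STRTOUPPER', ['ok']));
foreach (['strrev', '\\strrev', ['SomeClass', 'method']] as $rejected) {
    try {
        $allowlist->call($rejected, ['x']);
    } catch (\InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```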

The exploitation of this vulnerability could be performed in the following way:

1. Obtain access to a Twig template where the security extension is not enabled, typically by leveraging other vulnerabilities or misconfigurations.

2. Inject malicious code into the template that takes advantage of the vulnerability, for example:

{% set functionName = ["Shopware\\Core\\Framework\\FunctionToExecute"] %}
{{ functionName|join('.')() }}

3. When the template is rendered, the malicious code will execute the arbitrary PHP function Shopware\Core\Framework\FunctionToExecute, potentially running arbitrary code/commands on the affected system.

Mitigation

To remedy this vulnerability, users should update their Shopware 6 installations to version v6.4.20.1 or later, as suggested by the original advisory:
- https://github.com/shopware/platform/security/advisories/GHSA-9vjc-h2jp-x7rf

References

- Original advisory
- Shopware 6 v6.4.20.1 release notes
- Shopware/Core GitHub repository
- Shopware/Platform GitHub repository

Conclusion

The discovered SSTI vulnerability in Shopware 6 poses a significant risk to users with outdated installations, given the potential for remote execution of arbitrary code/commands. It is crucial for users to promptly update their Shopware 6 installations to version v6.4.20.1 or later to address this issue. In addition to upgrading the software, users should ensure that their development and deployment practices follow security best practices to minimize the risk of introducing similar vulnerabilities in the future.

Timeline

Published on: 04/17/2023 11:15:00 UTC
Last modified on: 04/28/2023 14:27:00 UTC